chore(deps): update kubezero-ci-dependencies

charts/envoy-ratelimit/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: envoy-ratelimit
 description: Envoy gobal ratelimiting service - part of KubeZero
 type: application
-version: 0.1.2
+version: 0.1.0
 home: https://kubezero.com
 icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png
 keywords:

charts/envoy-ratelimit/templates/config-statds-exporter.yaml

@@ -0,0 +1,106 @@
+{{- if .Values.metrics.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ratelimit-statsd-exporter-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "kubezero-lib.labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    defaults:
+      ttl: 1m # Resets the metrics every minute
+    mappings:
+      - match:
+          "ratelimit.service.rate_limit.*.*.near_limit"
+        name: "ratelimit_service_rate_limit_near_limit"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+      - match:
+          "ratelimit.service.rate_limit.*.*.over_limit"
+        name: "ratelimit_service_rate_limit_over_limit"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+      - match:
+          "ratelimit.service.rate_limit.*.*.total_hits"
+        name: "ratelimit_service_rate_limit_total_hits"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+      - match:
+          "ratelimit.service.rate_limit.*.*.within_limit"
+        name: "ratelimit_service_rate_limit_within_limit"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+      - match:
+          "ratelimit.service.rate_limit.*.*.*.near_limit"
+        name: "ratelimit_service_rate_limit_near_limit"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+          key2: "$3"
+      - match:
+          "ratelimit.service.rate_limit.*.*.*.over_limit"
+        name: "ratelimit_service_rate_limit_over_limit"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+          key2: "$3"
+      - match:
+          "ratelimit.service.rate_limit.*.*.*.total_hits"
+        name: "ratelimit_service_rate_limit_total_hits"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+          key2: "$3"
+      - match:
+          "ratelimit.service.rate_limit.*.*.*.within_limit"
+        name: "ratelimit_service_rate_limit_within_limit"
+        timer_type: "histogram"
+        labels:
+          domain: "$1"
+          key1: "$2"
+          key2: "$3"
+      - match:
+          "ratelimit.service.call.should_rate_limit.*"
+        name: "ratelimit_service_should_rate_limit_error"
+        match_metric_type: counter
+        labels:
+          err_type: "$1"
+      - match:
+          "ratelimit_server.*.total_requests"
+        name: "ratelimit_service_total_requests"
+        match_metric_type: counter
+        labels:
+          grpc_method: "$1"
+      - match:
+          "ratelimit_server.*.response_time"
+        name: "ratelimit_service_response_time_seconds"
+        timer_type: histogram
+        labels:
+          grpc_method: "$1"
+      - match:
+          "ratelimit.service.config_load_success"
+        name: "ratelimit_service_config_load_success"
+        match_metric_type: counter
+        ttl: 3m
+      - match:
+          "ratelimit.service.config_load_error"
+        name: "ratelimit_service_config_load_error"
+        match_metric_type: counter
+        ttl: 3m
+      - match: "."
+        match_type: "regex"
+        action: "drop"
+        name: "dropped"
+{{- end }}

charts/envoy-ratelimit/templates/deployment.yaml

@@ -16,7 +16,7 @@ spec:
         app: ratelimit
     spec:
       containers:
-      - image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+      - image: envoyproxy/ratelimit:b42701cb # 2021/08/12
         imagePullPolicy: IfNotPresent
         name: ratelimit
         command: ["/bin/ratelimit"]
@@ -28,11 +28,13 @@ spec:
         - name: REDIS_SOCKET_TYPE
           value: tcp
         - name: REDIS_URL
-          value: ratelimit-valkey:6379
+          value: ratelimit-redis:6379
-        - name: USE_PROMETHEUS
-          value: "true"
         - name: USE_STATSD
-          value: "false"
+          value: "true"
+        - name: STATSD_HOST
+          value: "localhost"
+        - name: STATSD_PORT
+          value: "9125"
         - name: RUNTIME_ROOT
           value: /data
         - name: RUNTIME_SUBDIRECTORY
@@ -44,8 +46,8 @@ spec:
         - name: LOCAL_CACHE_SIZE_IN_BYTES
           value: "{{ default 0 .Values.localCacheSize | int }}"
         ports:
-        - containerPort: 8081
         #- containerPort: 8080
+        - containerPort: 8081
         #- containerPort: 6070
         volumeMounts:
         - name: ratelimit-config
@@ -57,7 +59,27 @@ spec:
           limits:
             cpu: 1
             memory: 256Mi
+      - name: statsd-exporter
+        image: docker.io/prom/statsd-exporter:v0.21.0
+        imagePullPolicy: Always
+        args: ["--statsd.mapping-config=/etc/statsd-exporter/config.yaml"]
+        ports:
+          - containerPort: 9125
+        #  - containerPort: 9102
+        resources:
+          requests:
+            cpu: 50m
+            memory: 32Mi
+          limits:
+            cpu: 200m
+            memory: 64Mi
+        volumeMounts:
+          - name: statsd-exporter-config
+            mountPath: /etc/statsd-exporter
       volumes:
       - name: ratelimit-config
         configMap:
           name: ratelimit-config
+      - name: statsd-exporter-config
+        configMap:
+          name: ratelimit-statsd-exporter-config

charts/envoy-ratelimit/templates/redis-deployment.yaml

@@ -1,24 +1,24 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: ratelimit-valkey
+  name: ratelimit-redis
   namespace: {{ .Release.Namespace }}
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: ratelimit-valkey
+      app: ratelimit-redis
   template:
     metadata:
       labels:
-        app: ratelimit-valkey
+        app: ratelimit-redis
     spec:
       containers:
-      - image: valkey/valkey:8.1-alpine3.21
+      - image: redis:6-alpine
         imagePullPolicy: IfNotPresent
-        name: valkey
+        name: redis
         ports:
-        - name: valkey
+        - name: redis
           containerPort: 6379
       restartPolicy: Always
       serviceAccountName: ""

charts/envoy-ratelimit/templates/redis-service.yaml

@@ -1,13 +1,13 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: ratelimit-valkey
+  name: ratelimit-redis
   namespace: {{ .Release.Namespace }}
   labels:
-    app: ratelimit-valkey
+    app: ratelimit-redis
 spec:
   ports:
-  - name: valkey
+  - name: redis
     port: 6379
   selector:
-    app: ratelimit-valkey
+    app: ratelimit-redis

charts/envoy-ratelimit/templates/service.yaml

@@ -20,8 +20,8 @@ spec:
   #  targetPort: 6070
   #  protocol: TCP
   - name: http-monitoring
-    port: 9090
+    port: 9102
-    targetPort: 9090
+    targetPort: 9102
     protocol: TCP
   selector:
     app: ratelimit

charts/envoy-ratelimit/values.yaml

@@ -1,8 +1,3 @@
-image:
-  repository: envoyproxy/ratelimit
-  # see: https://hub.docker.com/r/envoyproxy/ratelimit/tags
-  tag: 80b15778
-
 log:
   level: warn
   format: json
@@ -13,26 +8,19 @@ localCacheSize: 1048576
 # Wether to block requests if ratelimiting is down
 failureModeDeny: false
 
-# rate limit descriptors for each domain
+# rate limit descriptors for each domain, examples 10 req/s per sourceIP
-# - slow: 1 req/s over a minute per sourceIP
 descriptors:
   ingress:
-  - key: speed
+  - key: remote_address
-    value: slow
+    rate_limit:
-    descriptors:
+      unit: second
-    - key: remote_address
+      requests_per_unit: 10
-      rate_limit:
-        unit: minute
-        requests_per_unit: 60
 
   privateIngress:
-  - key: speed
+  - key: remote_address
-    value: slow
+    rate_limit:
-    descriptors:
+      unit: second
-    - key: remote_address
+      requests_per_unit: 10
-      rate_limit:
-        unit: minute
-        requests_per_unit: 60
 
 metrics:
-  enabled: false
+  enabled: true

charts/kubezero-ci/Chart.yaml

@@ -30,7 +30,7 @@ dependencies:
     repository: https://aquasecurity.github.io/helm-charts/
     condition: trivy.enabled
   - name: renovate
-    version: 39.182.4
+    version: 39.182.3
     repository: https://docs.renovatebot.com/helm-charts
     condition: renovate.enabled
 kubeVersion: ">= 1.25.0"

charts/kubezero-ci/values.yaml

@@ -16,10 +16,6 @@ gitea:
     claimName: data-gitea-0
     size: 4Gi
 
-  service:
-    http:
-      port: 80
-
   securityContext:
     allowPrivilegeEscalation: false
     capabilities:
@@ -302,7 +298,7 @@ renovate:
     LOG_FORMAT: json
   cronjob:
     concurrencyPolicy: Forbid
-    jobBackoffLimit: 2
+    jobBackoffLimit: 3
     schedule:	"0 3 * * *"
     successfulJobsHistoryLimit: 1
 

charts/kubezero-istio/Chart.yaml

@@ -16,7 +16,7 @@ dependencies:
     version: 0.2.1
     repository: https://cdn.zero-downtime.net/charts/
   - name: envoy-ratelimit
-    version: 0.1.2
+    version: 0.1.0
     repository: https://cdn.zero-downtime.net/charts/
     condition: envoy-ratelimit.enabled
   - name: base

charts/kubezero-istio/README.md

@@ -20,7 +20,7 @@ Kubernetes: `>= 1.30.0-0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://cdn.zero-downtime.net/charts/ | envoy-ratelimit | 0.1.2 |
+| https://cdn.zero-downtime.net/charts/ | envoy-ratelimit | 0.1.0 |
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 |
 | https://istio-release.storage.googleapis.com/charts | base | 1.24.3 |
 | https://istio-release.storage.googleapis.com/charts | istiod | 1.24.3 |

charts/kubezero-istio/values.yaml

@@ -56,7 +56,29 @@ kiali-server:
     #url: "kiali.example.com"
 
 
-# for available options see envoy-ratelimit chart
 envoy-ratelimit:
   enabled: false
 
+  log:
+    level: warn
+    format: json
+
+  # 1MB local cache for already reached limits to reduce calls to Redis
+  localCacheSize: 1048576
+
+  # Wether to block requests if ratelimiting is down
+  failureModeDeny: false
+
+  # rate limit descriptors for each domain, examples 10 req/s per sourceIP
+  descriptors:
+    ingress:
+    - key: remote_address
+      rate_limit:
+        unit: second
+        requests_per_unit: 10
+
+    privateIngress:
+    - key: remote_address
+      rate_limit:
+        unit: second
+        requests_per_unit: 10

charts/kubezero/templates/istio.yaml

@@ -28,8 +28,8 @@ kiali-server:
   {{- toYaml . | nindent 2 }}
 {{- end }}
 
-{{- with index .Values "istio" "envoy-ratelimit" }}
+{{- with .Values.istio.rateLimiting }}
-envoy-ratelimit:
+rateLimiting:
   {{- toYaml . | nindent 2 }}
 {{- end }}
 {{- end }}